Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Local-List Antispam Filtering

 

Antispam filtering allows you to use both a third-party server-based spam block list (SBL) and to optionally create your own local allowlists (benign) and blocklists (malicious) for filtering against e-mail messages. The antispam feature is not meant to replace your antispam server, but to complement it. For more information, see the following topics:

Understanding Local List Antispam Filtering

When creating your own local allowlist and blocklist for antispam filtering, you can filter against domain names, e-mail addresses, and/or IP addresses. Pattern matching works a bit differently depending upon the type of matching in question. For example, pattern matching for domain names uses a longest suffix match algorithm. If the sender e-mail address has a domain name of aaa.bbb.ccc, the device tries to match "aaa.bbb.ccc" in the list. If no match is found, it tries to match "bbb.ccc", and then "ccc". IP address matching, however, does not allow for partial matches.

Antispam filtering uses local lists for matching in the following manner:

  1. Sender IP: The sender IP is checked against the local allowlist, then the local blocklist, and then the SBL IP-based server (if enabled).
  2. Sender Domain: The domain name is checked against the local allowlist and then against the local blocklist.
  3. Sender E-mail Address: The sender e-mail address is checked against the local allowlist and then against the local blocklist.

By default, the device first checks incoming e-mail against the local allowlist and blocklist. If the sender is not found on either list, the device proceeds to query the SBL server over the Internet. When both server-based antispam filtering and local list antispam filtering are enabled, checks are done in the following order:

  1. The local allowlist is checked. If there is a match, no further checking is done. If there is no match...

    Local blocklist and allowlist matching continues after the antispam license key is expired.

  2. The local blocklist is checked. If there is a match, no further checking is done. If there is no match...
  3. The SBL server list is checked.

Local List Antispam Filtering Configuration Overview

For each UTM feature, configure feature parameters in the following order:

  1. Configure UTM custom objects for the feature:

  2. Configure the main feature parameters, using feature profiles.

  3. Configure a UTM policy for each protocol, and attach this policy to a profile.

  4. Attach the UTM policy to a security policy.

Example: Configuring Local List Antispam Filtering

This example shows how to configure local list antispam filtering.

Requirements

Before you begin, review how to configure the feature parameters for each UTM feature. See Local List Antispam Filtering Configuration Overview.

Overview

Antispam filtering uses local lists for matching. When creating your own local allowlist and blocklist for antispam filtering, you can filter against domain names, e-mail addresses, and/or IP addresses.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

GUI Step-by-Step Procedure

To configure local list antispam filtering:

  1. Create local allowlist and blocklist custom objects by configuring a URL pattern list.

    1. Select Configure>Security>UTM>Custom Objects.
    2. In the UTM custom objects configuration window, select the URL Pattern List tab.
    3. Click Add to create URL pattern lists.
    4. Next to URL Pattern Name, type a unique name. Note

      If you are creating a allowlist, it is helpful to indicate this in the list name. The same applies to a blocklist. The name you enter here becomes available in the Address Allowlist and Address Blocklist fields when you are configuring your antispam profiles.

    5. Next to URL Pattern Value, type the URL pattern for allowlist or blocklist antispam filtering.
  2. Configure antispam filtering to use the allowlist and blocklist custom objects.
    1. Select Configure>Security>UTM>Global options.
    2. In the right pane, select the Anti-Spam tab.
    3. Under Anti-Spam, select an Address Allowlist and/or an Address Blocklist from the list for local lists for spam filtering. (These lists are configured as custom objects.)
    4. Click OK.
    5. If the configuration item is saved successfully, you receive a confirmation, and you must click OK again. If it is not saved successfully, click Details in the pop-up window to discover why.
    6. In the left pane under Security, select the Anti-Spam tab.
    7. Click Add to configure an anti-spam profile. The profile configuration pop-up window appears.
    8. In the Profile name box, enter a unique name.
    9. If you are using the default server, select Yes beside Default SBL server. If you are not using the default server, select No.

      If you select No, you are disabling server-based spam filtering. You disable it only if you are using local lists or if you do not have a license for server-based spam filtering.

    10. In the Custom tag string box, type a custom string for identifying a message as spam. By default, the device uses ***SPAM***.
    11. In the Actions list, select the action that the device should take when it detects spam. Options include Tag subject, Block email, and Tag header.
  3. Configure a UTM policy for SMTP to which you attach the antispam profile.
    1. Select Configure>Security>Policy>UTM Policies.
    2. In the UTM policy configuration window, click Add to configure a UTM policy. The policy configuration pop-up window appears.
    3. Select the Main tab.
    4. In the Policy name box, type a unique name.
    5. In the Session per client limit box, type a session per client limit. Valid values range from 0 through 2000.
    6. From the Session per client over limit list, select the action that the device should take when the session per client limit for this UTM policy is exceeded. Options include Log and permit and Block.
    7. Select the Anti-Spam profiles tab.
    8. From the SMTP profile list, select the antispam profile that you are attaching to this UTM policy.
  4. Attach the UTM policy to a security policy.
    1. Select Configure>Security>Policy>FW Policies.
    2. In the Security Policy window, click Add to configure a security policy with UTM. The policy configuration pop-up window appears.
    3. In the Policy tab, type a name in the Policy Name box.
    4. Next to From Zone, select a zone from the list.
    5. Next to To Zone, select a zone from the list.
    6. Choose a source address.
    7. Choose a destination address.
    8. Choose an application by selecting junos-smtp (for antispam) in the Application Sets box and move it to the Matched box.
    9. Next to Policy Action, select one of the following: Permit, Deny, or Reject.

      When you select Permit for policy action, several additional fields become available in the Applications Services tab, including UTM Policy.

    10. Select the Application Services tab.
    11. Next to UTM Policy, select the appropriate policy from the list. This attaches your UTM policy to the security policy.
    12. Click OK to check your configuration and save it as a candidate configuration.
    13. If the policy is saved successfully, you receive a confirmation, and you must click OK again. If the profile is not saved successfully, click Details in the pop-up window to discover why.Note

      You must activate your new policy to apply it.

    14. If you are done configuring the device, click Commit Options>Commit.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure local list antispam filtering:

  1. Configure the local list spam blocking by first creating your global local spam lists.
  2. Configure the local list antispam feature profile by first attaching your custom-object blocklist or allowlist or both.

    When both the allowlist and the blocklist are in use, the allowlist is checked first. If there is no match, then the blocklist is checked.

  3. Configure a profile for your local list spam blocking.

    Although you are not using the SBL for local list spam blocking, you configure your profile from within that command similar to the server-based spam blocking procedure.

  4. Configure the action to be taken by the device when spam is detected (block, tag-header, tag-subject).
  5. Configure a custom string for identifying a message as spam.
  6. Attach the spam feature profile to the UTM policy.
  7. Configure a security policy for UTM, and attach the UTM policy to the security policy.

Results

From configuration mode, confirm your configuration by entering the show security utm and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Antispam Statistics

Purpose

Verify the antispam statistics.

Action

From operational mode, enter the show security utm anti-spam status and show security utm anti-spam statistics commands.

The following information appears:

Related Documentation